[Zope-dev] Methods through the Web (security?)

Ty Sarna tsarna@endicor.com
17 May 2000 20:06:00 GMT


In article <613145F79272D211914B0020AFF640195A719F@gandalf.digicool.com>,
Brian Lloyd  <Brian@digicool.com> wrote:
> > How come you can browse things like the objectIds and objectValues
> > methods through the web? Surely this is exposing information that
> > people shouldn't really know about?
> 
> You're right - and stop calling me shirley. :) This is something of

Hmm, another ZAZ fan :-)

> a holdover from the bobo days - if you are a method and you have a
> docstring, you are accessible through the web (but still subject to 
> the std security rules). objectIds and objectValues are a good 
> example of things that really only want to be used from DTML and 
> thus shouldn't have docstrings. I've changed this (and a few other
> iffy methods) for the next release.

Won't this break Amos' XML-RPC-based editor and similar hacks?

Can't you just turn off 'Access contents information' permission or
whatever it is on a folder if you don't want people to call
those things through the web?
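A toy model of the two mechanisms being discussed in this thread, added here as an illustration; it is not Zope's ZPublisher code and nothing in it comes from the thread itself. It implements the bobo-era rule Brian describes (a method is reachable through the web only if it has a docstring, and is then still subject to a permission check) and shows why stripping the docstring, as opposed to revoking 'Access contents information', also cuts off an XML-RPC client calling the method by URL while leaving Python/DTML callers unaffected. The `Folder` class, the `ROLE_PERMISSIONS` table, the `__permissions__` mapping and the `hide_from_web` helper are all constructed for this example, with names modelled on Zope's but not read from any real installation.

```python
# Toy model of the docstring-publishing rule (constructed example, not
# Zope's ZPublisher code). A method is web-reachable only if it has a
# docstring; the security machinery then checks the caller's permission.
import inspect


class NotFound(Exception):
    """Name is not publishable (missing, private, or no docstring)."""


class Forbidden(Exception):
    """Name is publishable but the caller lacks the required permission."""


# Which roles hold which permission. A real site sets these per folder
# (and acquires them); a single global table stands in for that here.
ROLE_PERMISSIONS = {
    "Access contents information": {"Manager", "Authenticated"},
    "View": {"Manager", "Authenticated", "Anonymous"},
}


class Folder:
    """Minimal stand-in for a Zope folderish object (assumption)."""

    # Permission protecting each web-visible method. Names are modelled on
    # Zope's, but this mapping is an assumption of the example.
    __permissions__ = {
        "objectIds": "Access contents information",
        "objectValues": "Access contents information",
        "index_html": "View",
    }

    def __init__(self, contents):
        self._contents = dict(contents)

    def objectIds(self):
        """Return the ids of the contained objects."""
        return sorted(self._contents)

    def objectValues(self):
        """Return the contained objects."""
        return [self._contents[k] for k in sorted(self._contents)]

    def index_html(self):
        """Default view of the folder."""
        return "index of " + ", ".join(self.objectIds())

    def manage_wipe(self):
        # Deliberately no docstring: callable from Python, never from the web.
        self._contents.clear()
        return True


def is_publishable(obj, name):
    """The bobo rule: public name, bound method, and it carries a docstring."""
    if name.startswith("_"):
        return False
    attr = getattr(obj, name, None)
    return inspect.ismethod(attr) and bool(getattr(attr, "__doc__", None))


def publish(obj, name, roles):
    """Resolve one URL path element against obj for a caller holding `roles`.

    The docstring check is structural (a 404-style NotFound); the permission
    check is the security policy (a 403-style Forbidden)."""
    if not is_publishable(obj, name):
        raise NotFound(name)
    permission = type(obj).__permissions__.get(name)
    if not ROLE_PERMISSIONS.get(permission, set()) & set(roles):
        raise Forbidden(name)
    return getattr(obj, name)()


def hide_from_web(cls, name):
    """Brian's change, modelled: re-bind the method without a docstring so
    the publisher no longer sees it. Python/DTML callers are unaffected;
    an XML-RPC client addressing it by URL now gets NotFound."""
    original = getattr(cls, name)

    def undocumented(self, *args, **kwargs):  # no docstring on purpose
        return original(self, *args, **kwargs)

    setattr(cls, name, undocumented)


def demo():
    """Run the scenarios from the thread and return the outcome of each."""
    folder = Folder({"a": 1, "b": 2})
    results = {}
    results["manager_objectIds"] = publish(folder, "objectIds", {"Manager"})
    results["anon_index"] = publish(folder, "index_html", {"Anonymous"})
    try:  # Ty's suggestion: revoke the permission instead of the docstring
        publish(folder, "objectIds", {"Anonymous"})
    except Forbidden:
        results["anon_objectIds"] = "Forbidden"
    try:  # no docstring at all: not even a Manager can reach it by URL
        publish(folder, "manage_wipe", {"Manager"})
    except NotFound:
        results["manager_wipe"] = "NotFound"

    class Hardened(Folder):  # subclass so the base Folder stays untouched
        pass

    hide_from_web(Hardened, "objectIds")
    try:  # Brian's fix: the XML-RPC editor's call now fails for everyone
        publish(Hardened({"a": 1}), "objectIds", {"Manager"})
    except NotFound:
        results["hardened_objectIds"] = "NotFound"
    results["hardened_from_python"] = Hardened({"a": 1}).objectIds()
    return results


if __name__ == "__main__":
    print(demo())
```

The two outcomes in `demo()` are the crux of the disagreement: revoking the permission (`anon_objectIds`) is per-folder and role-based, while removing the docstring (`hardened_objectIds`) is global and blocks every web caller, including a Manager driving an XML-RPC client, which is exactly the breakage Ty is asking about.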